Is there a way to block a GPO from reaching a particular computer without putting the computer in an OU with block inheritance set?

Posted on 2008-10-15
Last Modified: 2010-04-21
Is there a way to block a GPO from reaching a particular computer without putting the computer in an OU with block policy inheritance set?  I want to block a software GPO policy on particular computers, but I don't want to move the computer(s) to their own OU.

Thank you!
Question by:cc_mbx
5 Comments
 
LVL 13

Accepted Solution

by:
martin_babarik earned 800 total points
ID: 22728410
Hello.

Yes, it is quite simple: put all of those computers in a security group, and in the Group Policy Management Console select the GPO you want to block, switch to the Delegation tab, add the group to the list there, then select the group, click Advanced and assign it the Deny permission for Read and Apply group policy object.
Martin
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 400 total points
ID: 22729395
It's important to note that the computers in question will need to be rebooted after they have been added to the security group in question.
0
 
LVL 6

Assisted Solution

by:deiaccord
deiaccord earned 800 total points
ID: 22729539
Another alternative is to associate the GPO with a WMI filter when you link it.

To create a WMI filter, under Group Policy Management you should have a WMI Filters section for the domain in question. Create a new filter with settings something like the below:

Namespace: root\CIMV2
Query: SELECT * FROM Win32_ComputerSystem WHERE Name <> 'Computer1' AND Name <> 'Computer2'

Attach this to your GPO and computers called Computer1 or Computer2 will not get the GPO applied to them.
0
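A way to check how a name-exclusion WMI filter evaluates on a machine before attaching it to a GPO, as an added example that is not part of the original answers. Group Policy applies the GPO only when the filter query returns at least one instance, so the script builds the exclusion query joined with OR and with AND and reports which form actually excludes the local computer. The function names `Test-GpoWmiFilter` and `New-ExclusionQuery` and the name `Computer2` are hypothetical.

```powershell
# Added example (not from the original thread): evaluate a GPO WMI filter locally.

function Test-GpoWmiFilter {
    # Returns $true when the query yields at least one instance, which is the
    # condition under which Group Policy would apply the filtered GPO.
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMV2'
    )
    try {
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($hits.Count -gt 0)
    }
    catch {
        # A query that cannot be evaluated is treated here as "filter not satisfied".
        Write-Warning "WMI query failed: $($_.Exception.Message)"
        return $false
    }
}

function New-ExclusionQuery {
    # Builds "Name <> 'a' <joiner> Name <> 'b' ..." for Win32_ComputerSystem.
    param(
        [Parameter(Mandatory)] [string[]] $ExcludedName,
        [ValidateSet('AND', 'OR')] [string] $Joiner = 'AND'
    )
    foreach ($name in $ExcludedName) {
        # Accept only NetBIOS-style names so nothing can break out of the WQL literal.
        if ($name -notmatch '^[A-Za-z0-9-]{1,15}$') {
            throw "Unexpected computer name: $name"
        }
    }
    $terms = $ExcludedName | ForEach-Object { "Name <> '$_'" }
    'SELECT * FROM Win32_ComputerSystem WHERE ' + ($terms -join " $Joiner ")
}

# Constructed test input: the local machine plus one hypothetical name.
$excluded = @($env:COMPUTERNAME, 'Computer2')

foreach ($joiner in 'OR', 'AND') {
    $query = New-ExclusionQuery -ExcludedName $excluded -Joiner $joiner
    [pscustomobject]@{
        Joiner        = $joiner
        GpoWouldApply = Test-GpoWmiFilter -Query $query
        Query         = $query
    }
}
```

With two or more excluded names, the OR form is true for every computer, because no machine name equals both values at once; only the AND form returns no instance on an excluded machine.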
 
LVL 13

Expert Comment

by:martin_babarik
ID: 22729705
Thank you Laura for adding this comment, quite important:-)
Martin
0
 

Author Closing Comment

by:cc_mbx
ID: 31506608
Thank you!
0
